Most business leaders have a contextual awareness of cyber risk and the threats facing their organizations. However, this contextual awareness rarely contributes to a clear, consolidated directive that can be applied across the organizations. Further, many organizations struggle to align their cyber risk management initiatives and their organization’s business strategies. This creates operational friction between those responsible for managing enterprise cyber risk and the business leaders’ goal of expanding their market presence, maintaining revenue streams, and developing new products and services. What is needed is an approach that aligns enterprise cyber risk and business strategy in a way that communicates how cyber risk can enable the business to expand its markets, protect revenue streams, and securely develop and deploy new products and services.
To these ends, organizations should look to build strategic security partnerships between business leaders and those responsible for managing enterprise cyber risk. Ideally, this is a directive from the executive leadership team, executive steering committee, or the board of directors. This directive would then empower the CISO, CIO, CRO, or others within the organization responsible for cyber risk to build cooperation across the business. At Coalfire, we’ve seen the following approach successfully deployed in a number of organizations:
- Develop a Cyber Governance Committee/Team
- Members of the committee are derived from business leaders, key stakeholders, and business representatives (i.e., CEO, CLO, CMO, HR, etc.).
- Develop a charter including key cyber risk management strategies, KPIs, and the ability to enforce these strategies and initiatives.
- Establish business-level reporting on upcoming business activities, market initiatives, and product/service development plans.
- Enhance the role of the CISO
- Work with business leaders to translate the technical and tactical components of cyber risk in common business terms and align these to business strategies and initiatives.
- CIO/CEO empowers the CISO to develop the principles and initiatives for managing enterprise cyber risk across the organization, including mitigation strategies and guidelines.
- Develop executive and board of director reporting format and content designed to align business initiatives and cyber risk management strategies and necessities.
- Include executive oversight in cyber risk strategy and budget planning to ensure cyber risk investments are aligned to and enable the business to pursue market initiatives.
Overall, it is becoming a best practice initiative to align enterprise cyber risk and business strategy, especially considering the impact cloud and cloud orchestration are having on business operations and supportive technologies. When factoring in continuous integration and continuous development (CI/CD), speed to market, new regulatory requirements, containerization, and new application development practices, it’s imperative that organizations identify opportunities to partner on managing cyber risk.